Event.sprintf question for use in logstash-filter-elasticsearch

Hi,

Is there any way to get event.sprintf to print the entire event, not just individual fields? I'm trying to build a percolator query that contains the entire logstash event.

What I'd like my percolator query to look like:

{
  "query" : {
    "percolate" : {
       "field" : "query",
       "document_type" : "doctype",
       "document": { <THE ENTIRE LOGSTASH EVENT HERE>}
    }
  }
}

My logstash conf looks like

  elasticsearch {
      index => 'percolator'
      query_template => 'query_template.json' # The template above
  }

And the sprintf code in the filter I'm referring to is below. The query_dsl variable contains the content of the query_template.json file.

if @query_dsl
  query = LogStash::Json.load(event.sprintf(@query_dsl))
  params[:body] = query
...

Many thanks,
Nick George

Just in case anyone else ever has this problem, I appear to have worked around it with the following logstash config.
It would work in any case where you need to jam the entire event into a single field (for whatever reason).

ruby { #Create a new field that contains the entire JSON dump of the event (as it currently stands)
  code => "event.set('event_json', event.to_json())"
}

elasticsearch {
  index => 'percolator'
  query_template => '/etc/logstash/query_template.json'
}

mutate {
  remove_field => 'event_json'
}

where the query_template.json file contains:

{
  "query" : {
    "percolate" : {
       "field" : "query",
       "document_type" : "doctype",
       "document": %{[event_json]}
    }
  }
}
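
The workaround above, as an added example that is not part of the original posts or of the plugin's code: it shows why substituting the serialized event into an unquoted placeholder yields a valid percolate query, while a raw field dropped between quotes does not survive quotes or newlines in the data. `sprintf_stub`, `QUOTED_FIELD_TEMPLATE` and the sample event are assumptions made for illustration; `sprintf_stub` is a simplified stand-in for `event.sprintf`, not Logstash's implementation.

```ruby
require 'json'

# Simplified stand-in for event.sprintf (assumption, not Logstash's code):
# replaces each %{[field]} with the field's string value, unescaped.
def sprintf_stub(template, event)
  template.gsub(/%\{\[([^\]]+)\]\}/) { event.fetch(Regexp.last_match(1)).to_s }
end

# Template from the post: the placeholder is unquoted, so the substituted
# text must itself be a complete JSON value.
WHOLE_EVENT_TEMPLATE = <<~'JSON'
  {
    "query": {
      "percolate": {
        "field": "query",
        "document_type": "doctype",
        "document": %{[event_json]}
      }
    }
  }
JSON

# Hypothetical template that places one raw field between quotes instead.
QUOTED_FIELD_TEMPLATE = '{"query":{"match":{"message":"%{[message]}"}}}'

# Mirrors the ruby filter step: event.set('event_json', event.to_json)
def build_percolate_query(event)
  with_dump = event.merge('event_json' => JSON.generate(event))
  JSON.parse(sprintf_stub(WHOLE_EVENT_TEMPLATE, with_dump))
end

# True when the rendered template is still parseable JSON.
def renders_valid_json?(template, event)
  JSON.parse(sprintf_stub(template, event))
  true
rescue JSON::ParserError
  false
end

# Constructed sample event; the message holds quotes and a newline.
SAMPLE_EVENT = {
  'host' => 'web01',
  'message' => "login failed for \"admin\"\nsecond line",
  'tags' => %w[auth failure]
}.freeze
```

Because `event_json` is produced by a JSON serializer, every quote and control character in the event is already escaped by the time it is substituted into the template.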
